
How Your Business Can Prepare For Indiana’s Consumer Data Protection Act (INCDPA)

Indiana is the second U.S. state to pass a comprehensive consumer privacy law in 2023. In this article, we’ll go over the unique provisions of the seventh U.S. state privacy law, what your business needs to know and do to comply, and how Ethyca can help.

Introduction 

Indiana follows Iowa as the second state privacy law to pass its state legislature in 2023. 

SB 5, Indiana’s Consumer Data Protection bill, will go into effect on January 1, 2026, giving businesses more than two years to get ready for it. 

Enhancing your business’ privacy program for California’s CPRA, Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA, and Iowa’s ICDPA in the meantime will give your business a great head start. 

Until then, here’s what your business needs to know about Indiana’s privacy law and how to prepare for 2026.

Does Indiana’s Privacy Law Apply to My Business?

Indiana’s privacy law applies to a “controller,” or a business entity that conducts business in Indiana or targets its products or services to Indiana consumers, and:

  • Controls or processes the personal data of at least 100,000 Indiana consumers, or
  • Controls or processes the personal data of at least 25,000 Indiana consumers and earns more than 50% of gross revenue from selling personal data. 

Like ICDPA, Indiana’s privacy law does not use a revenue threshold to determine who’s subject to it. Confirm that your business fulfills the criteria above to determine if it needs to comply with Indiana’s privacy law.

What Your Business Needs to Know About Indiana’s Privacy Law

Businesses subject to Indiana’s privacy law need to know what consumer rights and consent rights Indiana residents have, as well as the consequences of privacy violations. This section will go over these requirements in more detail.

Consumer Rights

As with all other state privacy laws, Indiana residents can exercise certain consumer rights, including:

  • Right to know and access
  • Right to correction
  • Right to deletion
  • Right to portability
  • Right to appeal

Similar to Iowa’s privacy law, Indiana consumers do not have a private right of action. Unlike Iowa, however, Indiana residents do have the ability to correct their data. 

Consent Requirements

Indiana residents are also given specific opt-out and opt-in rights.

In terms of opting out, Indiana consumers have the right to opt out of the processing of personal data for:

  • Targeted advertising.
  • Sale of personal data.
  • Profiling.

Indiana clearly states what kinds of data processing consumers can opt out of, whereas Iowa is more vague about targeted advertising and doesn’t mention profiling at all. Neither state requires businesses to implement a universal opt-out mechanism for consent.

In terms of opt-in rights, Indiana consumers have the right to opt into the processing of “sensitive data,” which includes:

  • Racial or ethnic origin, religious beliefs, mental or physical health diagnosis made by a healthcare provider, sexual orientation, or citizenship or immigration status.
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual.
  • Personal data collected from a known child (under 13 years old).
  • Precise geolocation data.

Violations and Enforcement

The Attorney General of Indiana has sole authority over enforcing Indiana’s consumer data protection law. 

Businesses must respond to consumers’ rights and consent requests within 45 days and may extend that period by an additional 45 days. Controllers also have a 30-day cure period to fix violations and can face a civil penalty of $7,500 per violation.

What Your Business Needs to Do to Comply with Indiana’s Privacy Law

Now that you know what consumer and consent rights Indiana residents have, as well as the consequences for violations, let’s go over the additional business obligations your business needs to fulfill. 

Prioritize Transparency

Chapter 4 of Indiana’s privacy law, titled “Data Controller Responsibilities,” emphasizes the need for transparency in privacy practices.

Businesses must publish easily accessible privacy notices on their websites detailing:

  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
  • The categories of personal data that the controller shares with third parties.
  • The categories of third parties, if any, with whom the controller shares personal data.

The Attorney General may publish sample privacy notices on its website for reference. Work with your legal team to create a privacy notice that includes all of the required information before January 1, 2026.

Enter Data Processing Contracts 

Businesses must also enter into data processing contracts with processors, or entities that “process personal data on behalf of a controller.”

These contracts must establish the terms of how the processor processes personal data for the controller, as well as the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors.

If your business works with processors or subcontractors that process data on your behalf, be sure to enter a legally binding data processing contract with each of them.

Perform Data Protection Impact Assessments (DPIAs)

Indiana’s privacy law requires businesses to perform data protection impact assessments (DPIAs). DPIAs require businesses to carefully assess the risks of activities that involve processing data. 

Companies operating in Indiana must weigh the business benefits against the potential risks to consumers on the following activities:

  • Processing personal data for targeted advertising.
  • Selling personal data.
  • Processing personal data for purposes of profiling.
  • Processing sensitive data.
  • Using de-identified data.
  • Any processing activities that could increase the risk of harm to consumers.

The Attorney General can request a DPIA to determine whether a company is compliant or not. To make sure you’re ready for Indiana’s regulators, conduct and document DPIAs for the above processing activities.

Process De-identified Data and Pseudonymous Data Securely

A unique provision of Indiana’s privacy law is its explicit instructions for processing de-identified and pseudonymous data. This is the first U.S. state privacy law to specify steps for processing these types of data categories. 

Businesses that process de-identified and pseudonymous data must:

  1. Take reasonable measures to ensure that the data cannot be associated with an individual.
  2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
  3. Demonstrate that any information necessary to identify the consumer from pseudonymous data is kept separately with technical and organizational controls.

If your business processes de-identified and pseudonymous data, make sure the required controls and safeguards are put in place by January 1, 2026.
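The third requirement above (the re-identification information is held separately, under its own controls) is what distinguishes pseudonymous data from merely hashed data. The following added example is not from the original article or from Ethyca’s Fides platform; it shows one common way to meet that separation: subject identifiers are replaced with keyed HMAC-SHA256 tokens, and the key plus the token-to-identifier mapping live in a vault object that stands in for a separately controlled system. The sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: a direct identifier (email) beside the
# attributes an analytics team actually needs.
RAW_RECORDS: List[Dict] = [
    {"email": "ana@example.com", "zip": "46204", "purchases": 3},
    {"email": "ben@example.com", "zip": "46221", "purchases": 1},
    {"email": "ana@example.com", "zip": "46204", "purchases": 2},
]

# Field names that must never appear in the pseudonymous dataset.
DIRECT_IDENTIFIERS = {"email", "name", "phone"}


class ReidentificationVault:
    """Holds the only information able to link a token back to a person.

    In a real deployment this is a separate service with its own access
    controls and audit log (the "kept separately with technical and
    organizational controls" requirement). A single in-memory object is an
    assumption made here to keep the example self-contained.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def token_for(self, identifier: str) -> str:
        # Keyed hash: deterministic (same person -> same token, so rows can
        # still be joined), but without the key nobody can recompute tokens
        # from a list of guessed identifiers, unlike a plain SHA-256 of the email.
        digest = hmac.new(self._key, identifier.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def tokenize(self, identifier: str) -> str:
        token = self.token_for(identifier)
        self._lookup[token] = identifier  # mapping stays inside the vault only
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)


def pseudonymize(records: List[Dict], vault: ReidentificationVault,
                 identifier_field: str = "email") -> List[Dict]:
    """Return a copy of the records with direct identifiers stripped and a subject token added."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_token"] = vault.tokenize(rec[identifier_field])
        out.append(pseudo)
    return out


def contains_direct_identifiers(records: List[Dict]) -> bool:
    """Release check: a pseudonymous dataset must carry no direct identifier fields."""
    return any(field in DIRECT_IDENTIFIERS for rec in records for field in rec)


def fulfill_deletion(records: List[Dict], vault: ReidentificationVault,
                     identifier: str) -> List[Dict]:
    """Honor a deletion request: only the vault can turn an identifier into its token."""
    token = vault.token_for(identifier)
    return [rec for rec in records if rec["subject_token"] != token]


if __name__ == "__main__":
    vault = ReidentificationVault()
    dataset = pseudonymize(RAW_RECORDS, vault)
    assert not contains_direct_identifiers(dataset)
    print(dataset)
    print(fulfill_deletion(dataset, vault, "ana@example.com"))
```

The design choice to note is the keyed hash: an unkeyed hash of an email address is still linkable by anyone who can hash a list of candidate addresses, so it does not satisfy “cannot be associated with an individual” on its own. With the key and mapping confined to the vault, the pseudonymous dataset can be shared with analytics teams, while rights requests such as deletion are routed through the vault that holds the link.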

How Ethyca Can Help Your Business Comply with Indiana’s Privacy Law

Keeping track of all of the new U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy to comply with all privacy regulations, no matter what state or jurisdiction, through the Fides privacy intelligence platform.

With Fides, your business will be able to automate business obligations for all state privacy laws.

Read on to learn how.

Automated Data Subject Requests Fulfillment

All privacy regulations require businesses to fulfill users’ subject requests, or data subject requests (DSRs). Unfortunately, this process is often costly, labor-intensive, and causes lots of friction between legal and engineering teams.

The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end. With Fides, users can submit their requests through a Privacy Center on your website and verify their identity via SMS or email.

After requests are submitted, you can approve or deny them in an easy-to-use Admin UI. Users will receive an email containing a link to the data they requested in a machine-readable format or a confirmation that all of their data has been corrected or erased.

Fides will also maintain a log of the requests your business has processed. That way, you can prove to regulators your business’ privacy practices are compliant.

Easy Consent Management

Different privacy regulations require different opt-in and opt-out requirements your business must follow. With Fides, your business can easily manage users’ consent preferences for any privacy law.

Fides will help you set multiple opt-out links in your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with multiple privacy laws at the same time.

Users will be able to submit their consent preferences via the same Privacy Center they would use to submit DSRs. With the same Admin UI, your business will be able to easily process and record users’ consent preferences as proof of compliance. 

Real-Time Data Visualization

What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. After connecting with all systems, Fides will be able to produce an automated data map of where data resides and flows throughout your organization.

Unlike tracking data through manual spreadsheets that are immediately out of date, Fides’ automated data map will give you a real-time, accurate inventory of all the data in your systems, i.e. what the data is, where it flows, and where it’s stored.

In fact, connecting to all of your systems is how Fides can automate data subject requests and consent management in the first place. The Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.

Conclusion

Iowa and Indiana are the first two state privacy laws to pass in 2023, but more are constantly on the way. Your business will need to look ahead and prepare for all of the coming privacy regulations passing through state legislatures. 

Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or current privacy laws, schedule a free 15-minute call with one of our privacy advisors right now.
